From 5e37c0f036391301ee41b5b6f11f6eb4b874f5a2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Mon, 10 Jun 2024 13:40:04 +0200
Subject: [PATCH] Added lxchost.in.
---
 sources/lxchost.in/01_setupnetworking.sh | 74 +++++++++++++++++++
 sources/lxchost.in/02_addremovepackages.sh | 54 ++++++++++++++
 sources/lxchost.in/03_configuresystem | 33 +++++++++
 sources/lxchost.in/99_setupsystem.sh | 38 ++++++++++
 .../lxchost.in/etc/ssh/ssh_host_ed25519_key | 7 ++
 .../etc/ssh/ssh_host_ed25519_key-cert.pub | 1 +
 .../etc/ssh/ssh_host_ed25519_key.pub | 1 +
 .../etc/ssh/sshd_config.d/99-host-cert.conf | 1 +
 .../etc/ssh/sshd_config.d/99-user-CA.conf | 1 +
 .../lxchost.in/etc/ssh/trusted-user-ca.keys | 1 +
 sources/lxchost.in/etc/sysctl.d/01-lxc.conf | 8 ++
 11 files changed, 219 insertions(+)
 create mode 100755 sources/lxchost.in/01_setupnetworking.sh
 create mode 100755 sources/lxchost.in/02_addremovepackages.sh
 create mode 100755 sources/lxchost.in/03_configuresystem
 create mode 100755 sources/lxchost.in/99_setupsystem.sh
 create mode 100644 sources/lxchost.in/etc/ssh/ssh_host_ed25519_key
 create mode 100644 sources/lxchost.in/etc/ssh/ssh_host_ed25519_key-cert.pub
 create mode 100644 sources/lxchost.in/etc/ssh/ssh_host_ed25519_key.pub
 create mode 100644 sources/lxchost.in/etc/ssh/sshd_config.d/99-host-cert.conf
 create mode 100644 sources/lxchost.in/etc/ssh/sshd_config.d/99-user-CA.conf
 create mode 100644 sources/lxchost.in/etc/ssh/trusted-user-ca.keys
 create mode 100644 sources/lxchost.in/etc/sysctl.d/01-lxc.conf
diff --git a/sources/lxchost.in/01_setupnetworking.sh b/sources/lxchost.in/01_setupnetworking.sh
new file mode 100755
index 0000000..58c4c07
--- /dev/null
+++ b/sources/lxchost.in/01_setupnetworking.sh
@@ -0,0 +1,74 @@
+#!/bin/sh
+set -x
+
+# network interfaces are:
+# ens33: used for internal host network
+# ens34: used for internal container bridge
+# ens35: used for external container bridge
+
+
+INTERNAL_DEVICE=ens33
+BRI_DEVICE=ens34
+EXTERNAL_DEVICE=ens35
+
+
+nmcli --terse connection show | grep --invert-match ':lo$' | while read CONNECTION_LINE
+do
+ CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+ nmcli connection delete uuid "$CONNECTION_UUID"
+done
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id internal \
+ connection.interface-name $INTERNAL_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "10.228.109.30/16" \
+ ipv4.dns "10.228.109.159, 10.228.92.159" \
+ ipv4.dns-search "in.useribm.hu" \
+ ipv4.gateway "10.228.109.254" \
+ ipv4.method "manual" \
+ ipv6.addresses "2001:1aa1:000a:7dae:0250:56ff:fead:36b1/64" \
+ ipv6.dns "2001:1aa1:000a:7dae:000c:18ff:fe03:5c9f, 2001:1aa1:000a:7dae:000c:18ff:fe03:6d9f" \
+ ipv6.dns-search "in.useribm.hu" \
+ ipv6.gateway "2001:1aa1:000a:7dae:000c:18ff:fe03:6dfe" \
+ ipv6.method "manual" \
+ save yes
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id bri \
+ connection.interface-name bri \
+ connection.type bridge \
+ bridge.stp no \
+ ipv4.method "disabled" \
+ ipv6.method "disabled" \
+ save yes
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id brislave \
+ connection.interface-name $BRI_DEVICE \
+ connection.master bri \
+ connection.slave-type bridge \
+ connection.type 802-3-ethernet \
+ save yes
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id brh \
+ connection.interface-name brh \
+ connection.type bridge \
+ bridge.stp no \
+ ipv4.method "disabled" \
+ ipv6.method "disabled" \
+ save yes
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id external \
+ connection.interface-name $EXTERNAL_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.method "disabled" \
+ ipv6.method "disabled" \
+ save yes
diff --git a/sources/lxchost.in/02_addremovepackages.sh b/sources/lxchost.in/02_addremovepackages.sh
new file mode 100755
index 0000000..6170769
--- /dev/null
+++ b/sources/lxchost.in/02_addremovepackages.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+
+dnf erase \
+ bluez \
+ c-ares \
+ deltarpm \
+ dhcp-client \
+ f2fs-tools \
+ firewalld \
+ hunspell \
+ inih \
+ jq \
+ js-jquery \
+ memstrack \
+ ModemManager-glib \
+ nano \
+ nilfs-utils \
+ ntfs-3g \
+ ntfs-3g-libs \
+ pcsc-lite \
+ pkgconf \
+ qrencode-libs \
+ selinux-policy \
+ udftools \
+ unbound-anchor \
+ zram-generator
+
+dnf --setopt=install_weak_deps=False \
+ install \
+ atop \
+ bonnie++ \
+ cronie \
+ crontabs \
+ git \
+ logrotate \
+ lxc \
+ lxc-templates \
+ lxcfs \
+ mailx \
+ man-pages \
+ pciutils \
+ postfix \
+ rsync-daemon \
+ rsyslog \
+ rsyslog-logrotate \
+ screen \
+ speedtest-cli \
+ sysstat \
+ tar \
+ unzip \
+ vim-enhanced \
+ wget \
+ zip
diff --git a/sources/lxchost.in/03_configuresystem b/sources/lxchost.in/03_configuresystem
new file mode 100755
index 0000000..a213290
--- /dev/null
+++ b/sources/lxchost.in/03_configuresystem
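Review bot: The deletion loop at the top of 01_setupnetworking.sh parses `nmcli --terse connection show` with a bare `read` and an unquoted `echo $CONNECTION_LINE | cut -f 2 -d ':'`, so a connection name containing a backslash, a glob character or a colon (terse output escapes `:` inside values as `\:`) shifts the UUID out of field 2 and the script deletes the wrong connection or none. Ask nmcli for just the fields needed and let `read` split them: `nmcli --terse --fields UUID,DEVICE connection show | grep --invert-match ':lo$' | while IFS=: read -r CONNECTION_UUID _`, and drop the `cut` line. The script runs with `set -x` but no `set -e`, so a failed `nmcli connection add` is only visible in the trace while the remaining adds keep going on a half-configured host; since the loop first removes every connection, including whichever one carries a remote session, the re-add steps should be made to abort loudly (`set -e` plus an `ERR`/`EXIT` trap that reports which step failed) and the script documented as console-only. The site addresses, gateways and DNS servers are hard-coded in the body; a header comment naming the host and network they belong to would stop this file being reused for another host unchanged.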
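Review bot: `dnf erase` and `dnf install` in 02_addremovepackages.sh run without `-y`, so a non-interactive run stops at the transaction prompt, and `erase` is the deprecated alias for `remove`; use `dnf -y remove \` and `dnf -y --setopt=install_weak_deps=False install \`. The removal list also drops `selinux-policy` and `firewalld` from what is a container host: with no policy installed the kernel has nothing to enforce, so any SELinux confinement of the LXC containers is gone, and with no host firewall the `bri`/`brh` bridges created in 01_setupnetworking.sh are unfiltered. If both removals are deliberate, say so in a comment above the list; otherwise keep the packages and configure them. The script has no `set -e`, so a failed `remove` does not stop the following `install`.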
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+
+echo "lxc.lxcpath = /lxc/containers" >/etc/lxc/lxc.conf
+echo "fs.inotify.max_user_instances = 1024" >/etc/sysctl.d/lxc.conf
+
+echo "" >>/etc/dnf/dnf.conf
+echo "deltarpm=False" >>/etc/dnf/dnf.conf
+echo "fastestmirror=True" >>/etc/dnf/dnf.conf
+echo "install_weak_deps=False" >>/etc/dnf/dnf.conf
+echo "max_parallel_downloads=10" >>/etc/dnf/dnf.conf
+
+echo "root:100000:100000" >>/etc/subuid
+echo "root:100000:100000" >>/etc/subgid
+
+echo "change USE_LXC_BRIDGE to false in /etc/sysconfig/lxc-net"
+echo "change clean_requirements_on_remove to False in /etc/dnf/dnf.conf"
+
+echo "@cert-authority *.in.useribm.hu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9 host-CA" >>/etc/ssh/ssh_known_hosts
+echo "@cert-authority *.pm.useribm.hu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9 host-CA" >>/etc/ssh/ssh_known_hosts
+echo "@cert-authority *.useribm.hu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9 host-CA" >>/etc/ssh/ssh_known_hosts
+
+hostnamectl set-hostname lxchost.in.useribm.hu
+localectl set-locale LANG=en_US.UTF-8 LC_TIME=C.UTF-8 LC_PAPER=C.UTF-8
+timedatectl set-timezone Europe/Budapest
+
+echo "set up ssh keys/certificates"
+
+systemctl enable lxc
+systemctl enable lxcfs
+systemctl enable postfix
+
+echo "update packages and reboot system"
diff --git a/sources/lxchost.in/99_setupsystem.sh b/sources/lxchost.in/99_setupsystem.sh
new file mode 100755
index 0000000..495a23c
--- /dev/null
+++ b/sources/lxchost.in/99_setupsystem.sh
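Review bot: Every configuration step in 03_configuresystem is a bare `echo ... >>`, so a second run appends a second `root:100000:100000` range to /etc/subuid and /etc/subgid, a second set of `@cert-authority` lines to ssh_known_hosts and a second block of keys to dnf.conf; guard each append, e.g. `grep -qxF 'root:100000:100000' /etc/subuid || echo 'root:100000:100000' >>/etc/subuid`. The sysctl line written to /etc/sysctl.d/lxc.conf duplicates the `fs.inotify.max_user_instances = 1024` that this commit also ships as etc/sysctl.d/01-lxc.conf, so keep one of the two. The three `echo` lines telling the operator to edit lxc-net and dnf.conf and to "set up ssh keys/certificates" are steps the script does not perform; mark them `# TODO` or implement them (the ssh material is already in this commit under etc/ssh). The file has no `.sh` suffix unlike the other three scripts, which makes it easy to miss in a glob.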
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+
+hostnamectl set-hostname lxchost.in.useribm.hu
+timedatectl set-timezone Europe/Budapest
+
+#dnf erase \
+# firewalld \
+# firewalld-filesystem \
+# python3-firewall
+dnf erase \
+ selinux-policy \
+ zram-generator
+
+dnf install \
+ chrony \
+ cronie \
+ logrotate \
+ lxc \
+ lxc-templates \
+ mailx \
+ postfix \
+ rsyslog \
+ screen \
+ vim-enhanced \
+ wget2
+
+systemctl disable firewalld.service
+
+systemctl enable logrotate.timer
+systemctl enable lxc.service
+systemctl enable rsyslog.service
+
+systemctl start logrotate.timer
+systemctl start lxc.service
+systemctl start rsyslog.service
+
+systemctl stop firewalld.service
diff --git a/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key b/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key
new file mode 100644
index 0000000..1c40eaf
--- /dev/null
+++ b/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACA1iH2Z+2TZPaaPpIFV+ypafimCfIYr8JDrsolxnOGkWQAAAIjtYA3x7WAN
+8QAAAAtzc2gtZWQyNTUxOQAAACA1iH2Z+2TZPaaPpIFV+ypafimCfIYr8JDrsolxnOGkWQ
+AAAEDvUybO4S86jtF4cNmdgyhugj1bSAZZntdzPN72XniawzWIfZn7ZNk9po+kgVX7Klp+
+KYJ8hivwkOuyiXGc4aRZAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
diff --git a/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key-cert.pub b/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key-cert.pub
new file mode 100644
index 0000000..31834e6
--- /dev/null
+++ b/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key-cert.pub
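Review bot: 99_setupsystem.sh repeats work that 02_addremovepackages.sh and 03_configuresystem in the same commit already do (hostname, timezone, the `dnf erase` of selinux-policy and zram-generator, an overlapping `dnf install` list) but with a different package set (`wget2` here, `wget` there; `chrony` only here) and again without `-y`, so two setup paths now disagree about what the host ends up with. If this file is the consolidated replacement, remove the duplicated steps from 02/03 (or the other way round) and add a header comment stating the order in which the numbered scripts are meant to run. `systemctl disable firewalld.service` and `systemctl stop firewalld.service` act on a package that 02_addremovepackages.sh has already erased, so one of the two is dead code. The commented-out `firewalld` erase block should carry a one-line reason or be deleted.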
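Review bot: sources/lxchost.in/etc/ssh/ssh_host_ed25519_key is the unencrypted private half of the host key whose public key and certificate follow in the next file sections, and this commit stores it in cleartext in the repository with mode 100644. Anyone who can read the repository or its history (forks, mirrors, CI caches) can now impersonate this host to every client that has the key or its certificate pinned, so the key must be treated as compromised: generate a new host key on the host, re-issue the certificate for it, remove this file from the history rather than only from HEAD, and add `etc/ssh/ssh_host_*_key` to .gitignore. If private material has to live in source control at all, keep it encrypted at rest (git-crypt, sops or ansible-vault are the usual choices) and never the host identity key. The 0644 mode git records is also one sshd is likely to reject as "too open" if the file is deployed as-is, so the deployment step would need a `chmod 600` either way.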
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAII6bN5gImxZtD8/Qq1Uea0TmUlC4kCE4kO5IvuiFvpHxAAAAIDWIfZn7ZNk9po+kgVX7Klp+KYJ8hivwkOuyiXGc4aRZAAAAAAAAAAAAAAACAAAAFWx4Y2hvc3QuaW4udXNlcmlibS5odQAAAAAAAAAAAAAAAP//////////AAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAnH/111PHTVbW73hpsG3Z0SX2CCLc8SpoEZM5adJOq+QAAAFMAAAALc3NoLWVkMjU1MTkAAABACsEelN95x8SyABbNcGIP6z9cRc8lvBBCErMJESyHROe1a4l8xQQ11Am3mqJDX7Q9jobiSzhjtrT9cCcZCgOICA== ssh_host_ed25519_key.pub
diff --git a/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key.pub b/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key.pub
new file mode 100644
index 0000000..f77e1ab
--- /dev/null
+++ b/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWIfZn7ZNk9po+kgVX7Klp+KYJ8hivwkOuyiXGc4aRZ
diff --git a/sources/lxchost.in/etc/ssh/sshd_config.d/99-host-cert.conf b/sources/lxchost.in/etc/ssh/sshd_config.d/99-host-cert.conf
new file mode 100644
index 0000000..173b545
--- /dev/null
+++ b/sources/lxchost.in/etc/ssh/sshd_config.d/99-host-cert.conf
@@ -0,0 +1 @@
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
diff --git a/sources/lxchost.in/etc/ssh/sshd_config.d/99-user-CA.conf b/sources/lxchost.in/etc/ssh/sshd_config.d/99-user-CA.conf
new file mode 100644
index 0000000..115882b
--- /dev/null
+++ b/sources/lxchost.in/etc/ssh/sshd_config.d/99-user-CA.conf
@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/trusted-user-ca.keys
diff --git a/sources/lxchost.in/etc/ssh/trusted-user-ca.keys b/sources/lxchost.in/etc/ssh/trusted-user-ca.keys
new file mode 100644
index 0000000..84d19e3
--- /dev/null
+++ b/sources/lxchost.in/etc/ssh/trusted-user-ca.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcf/XXU8dNVtbveGmwbdnRJfYIItzxKmgRkzlp0k6r5 user-CA
diff --git a/sources/lxchost.in/etc/sysctl.d/01-lxc.conf b/sources/lxchost.in/etc/sysctl.d/01-lxc.conf
new file mode 100644
index 0000000..77fcb19
--- /dev/null
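Review bot: Decoding the certificate in ssh_host_ed25519_key-cert.pub (the fields are plain SSH wire format) shows three problems the commit should address before this is deployed. The signing key embedded in the certificate is the key this same commit installs as `user-CA` in etc/ssh/trusted-user-ca.keys (`AAAAICcf/XXU...`), not the `host-CA` key (`AAAAIEXYIIzr...`) that 03_configuresystem adds to ssh_known_hosts, so clients configured by that script will not accept this host certificate, and one CA key is being used for both user and host roles, which means a leak of that one key compromises both directions of trust. The valid-principals list is empty, so the certificate is not bound to `lxchost.in.useribm.hu` at all (that name is only the key id), and the validity window runs from 0 to 2^64-1, i.e. it never expires, leaving revocation as the only way to retire it. Re-issue it from the host CA with an explicit principal and lifetime, e.g. `ssh-keygen -s <host-ca-private-key> -I lxchost.in.useribm.hu -h -n lxchost.in.useribm.hu -V +52w ssh_host_ed25519_key.pub` (the CA path is a placeholder), for the fresh host key that replaces the one committed in the previous file section.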
+++ b/sources/lxchost.in/etc/sysctl.d/01-lxc.conf
@@ -0,0 +1,8 @@
+#fs.inotify.max_queued_events = 16384
+# This is the default.
+
+fs.inotify.max_user_instances = 1024
+# The default is 128.
+
+#fs.inotify.max_user_watches = 8192
+# This is the default.
--
2.54.0
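Review bot: In 01-lxc.conf each comment follows the setting it describes (`fs.inotify.max_user_instances = 1024` and then `# The default is 128.`), which a reader naturally takes as the header of the next entry; put the explanation above its line, e.g. `# raised from the default of 128` directly above the setting, and likewise for the two commented-out defaults. The value also duplicates the line that 03_configuresystem echoes into /etc/sysctl.d/lxc.conf, so the same key is set from two files; drop the echo there and let this file be the single source. A one-line header comment saying what on this host needs more inotify instances would make the number reviewable later.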